@MB_CYBER
and internet provider, following reports last year that the company was targeted in a top-secret surveillance operation carried out by British spy agency Government Communications Headquarters, industry sources told The Intercept.
Union have confirmed to The Intercept that the Regin malware was found on their systems after they were compromised, linking the spy tool to the secret GCHQ and NSA operations.
A spokesman for Belgacom declined to comment specifically about the Regin revelations, but said that the company had shared “every element about the attack” with a federal prosecutor in Belgium who is conducting a criminal investigation into the intrusion. “It’s impossible for us to comment on this,” said Jan Margot, a spokesman for Belgacom. “It’s always been clear to us the malware was highly sophisticated, but ever since the clean-up this whole story belongs to the past for us.”
internal systems in 2010 by targeting engineers at the company. The agency secretly installed so-called malware “implants” on the employees’ computers by redirecting their internet connection to a fake LinkedIn page. The malicious LinkedIn page launched a malware attack, infecting the employees’ computers and giving the spies total control of their systems, allowing GCHQ to get deep inside Belgacom’s networks to steal data.
software implants used in this case were part of the suite of malware now known as Regin.
Origin of Regin
In Nordic mythology, the name Regin is associated with a violent dwarf who is corrupted by greed. It is unclear how the Regin malware first got its name, but the name appeared for the first time on the VirusTotal website on March 9th 2011.
This entry was first published on: Mar 09, 2011
Loaders
The first stage consists of drivers which act as loaders for a second stage. They carry an encrypted block which points to the location of the second-stage payload. On NTFS, that is an Extended Attribute stream; on FAT, they use the registry to store the body. When started, this stage simply loads and executes Stage 2.
serial.sys
cdaudio.sys
atdisk.sys
parclass.sys
usbclass.sys
Orchestrator
This component consists of a service orchestrator working in the Windows kernel. It initializes the core components of the architecture and loads the next parts of the malware.
Information Harvesters
This stage is composed of a service orchestrator located in user land, provided with many modules which are loaded dynamically as needed. These modules can include data collectors, a self-defense engine which detects attempts to discover the toolkit, functionality for encrypted communications, network capture programs, and remote controllers of different kinds.
Stealth Implant
The Intercept’s investigation revealed a sample uploaded to VirusTotal on March 14th 2012 that presents the unique 0xfedcbafe header, which is a sign that it might have been loaded by a Regin driver; it appears to provide stealth functionality for the toolkit.
The picture referenced here (not reproduced) shows the very first bytes of the sample in question, with the unique 0xfedcbafe header at the beginning. The sample’s SHA-256 hash:
fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129
Belgacom Sample
In an interview given to the Belgian magazine Mondiaal Nieuws, Fabrice Clément, head of security at Belgacom, said that the company first identified the attack on June 21, 2013.
In the same interview Clément says that the computers targeted by the attackers included staff workstations as well as email servers.
The archive contains:
malware. From the content of the GetThis.log file, we can see that a sample called “svcsstat.exe” located in C:\Windows\System32\ was collected and a copy of it was stored.
The malware in question is “0001000000000C1C_svcsstat.exe_sample”. This is a 64-bit variant of the first-stage Regin loader described above.
This file identifies the infected system and provides a variety of interesting information about the network. For instance:
USERDNSDOMAIN=BGC.NET
USERDOMAIN=BELGACOM
USERNAME=id051897a
USERPROFILE=C:\Users\id051897a
SQL server and a Microsoft Exchange server, indicating that it might be one of the compromised corporate mail servers Fabrice Clément mentioned to Mondiaal Nieuws:
Path=C:\Program Files\Legato\nsr\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Network Monitor 3\;C:\Program Files\System Center Operations Manager 2007\;c:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn\;D:\Program Files\Microsoft\Exchange Server\bin
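As an added example (not part of The Intercept’s article), the following Python script parses an environment dump like the one quoted above and turns it into the kind of host summary an incident responder wants from such a file: which account and domain the dump was taken under, and what server software the PATH variable reveals. The sample input is constructed from the variables quoted on this page; the directory-to-role mapping is an assumption made for illustration.

```python
from typing import Dict, List

# Constructed sample, assembled from the environment variables quoted on this page.
SAMPLE_ENV = r"""USERDNSDOMAIN=BGC.NET
USERDOMAIN=BELGACOM
USERNAME=id051897a
USERPROFILE=C:\Users\id051897a
Path=C:\Program Files\Legato\nsr\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Network Monitor 3\;C:\Program Files\System Center Operations Manager 2007\;c:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn\;D:\Program Files\Microsoft\Exchange Server\bin
"""

# Lower-cased directory fragments mapped to the software they indicate.
# Assumed mapping for illustration; extend it with what your estate actually runs.
ROLE_MARKERS = {
    "exchange server": "Microsoft Exchange server",
    "microsoft sql server": "Microsoft SQL Server",
    "system center operations manager": "System Center Operations Manager",
    "legato": "Legato NetWorker backup client",
    "network monitor": "Microsoft Network Monitor (packet capture)",
}


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines into a dict. Keys are upper-cased because Windows
    environment variable names are case-insensitive (Path and PATH are the same)."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue  # blank or non-variable line in the dump
        key, _, value = line.partition("=")
        env[key.strip().upper()] = value.strip()
    return env


def path_entries(env: Dict[str, str]) -> List[str]:
    """Split PATH on ';' and drop empty entries (trailing separators are common)."""
    return [p for p in env.get("PATH", "").split(";") if p]


def infer_roles(env: Dict[str, str]) -> List[str]:
    """Infer installed server software from PATH, preserving first-seen order."""
    roles: List[str] = []
    for entry in path_entries(env):
        low = entry.lower()
        for marker, role in ROLE_MARKERS.items():
            if marker in low and role not in roles:
                roles.append(role)
    return roles


def summarize(text: str) -> Dict[str, object]:
    """Produce a small triage summary of one environment dump."""
    env = parse_env(text)
    user = f"{env.get('USERDOMAIN', '?')}\\{env.get('USERNAME', '?')}"
    roles = infer_roles(env)
    return {
        "user": user,
        "dns_domain": env.get("USERDNSDOMAIN", ""),
        "path_entries": len(path_entries(env)),
        "roles": roles,
        # The article's reasoning: an Exchange bin directory in PATH suggests a mail server.
        "likely_mail_server": "Microsoft Exchange server" in roles,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ENV).items():
        print(f"{key}: {value}")
```

The role inference is deliberately conservative: it only reports software whose own binary directory was added to PATH, which is how installers such as Exchange and SQL Server register themselves, so a hit reflects something installed on that host rather than merely reachable from it.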
Given that it has been over a year since the Belgacom operation was publicly outed, The Intercept considers it likely that GCHQ/NSA have replaced their toolkit and no current operations will be affected by the publication of these samples.
Regin Samples
32-bit Loaders
20831e820af5f41353b5afab659f2ad42ec6df5d9692448872f3ed8bbb40ab92
7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7
f89549fc84a8d0f8617841c6aa4bb1678ea2b6081c1f7f74ab1aebd4db4176e4
fd92fd7d0f925ccc0b4cbb6b402e8b99b64fa6a4636d985d78e5507bd4cfecef
225e9596de85ca7b1025d6e444f6a01aa6507feef213f4d2e20da9e7d5d8e430
9cd5127ef31da0e8a4e36292f2af5a9ec1de3b294da367d7c05786fe2d5de44f
b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047
f1d903251db466d35533c28e3c032b7212aa43c8d64ddf8c5521b43031e69e1e
4e39bc95e35323ab586d740725a1c8cbcde01fe453f7c4cac7cced9a26e42cc9
a0d82c3730bc41e267711480c8009883d1412b68977ab175421eabc34e4ef355
a7493fac96345a989b1a03772444075754a2ef11daa22a7600466adc1f69a669
5001793790939009355ba841610412e0f8d60ef5461f2ea272ccf4fd4c83b823
a6603f27c42648a857b8a1cbf301ed4f0877be75627f6bbe99c0bfd9dc4adb35
8d7be9ed64811ea7986d788a75cbc4ca166702c6ff68c33873270d7c6597f5db
40c46bcab9acc0d6d235491c01a66d4c6f35d884c19c6f410901af6d1e33513b
df77132b5c192bd8d2d26b1ebb19853cf03b01d38afd5d382ce77e0d7219c18c
7d38eb24cf5644e090e45d5efa923aff0e69a600ff0ab627e8929bb485243926
a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe
a0e3c52a2c99c39b70155a9115a6c74ea79f8a68111190faa45a8fd1e50f8880
d42300fea6eddcb2f65ffec9e179e46d87d91affad55510279ecbb0250d7fdff
5c81cf8262f9a8b0e100d2a220f7119e54edfc10c4ff906ab7848a015cd12d90
b755ed82c908d92043d4ec3723611c6c5a7c162e78ac8065eb77993447368fce
c0cf8e008fffa0cb2c61d968057b4a077d62f64d7320769982d28107db370513
bdf3dceb6f65790d11df950f17c5ff6beb18601cca1850725f278587845cd19c
ecd7de3387b64b7dab9a7ff52e8aa65cb7ec9193f8eac6a7d79407a6a932ef69
e1ba03a10a40aab909b2ba58dcdfd378b4d264f1f4a554b669797bbb8c8ac902
392f32241cd3448c7a435935f2ff0d2cdc609dda81dd4946b1c977d25134e96e
9ddbe7e77cb5616025b92814d68adfc9c3e076dddbe29de6eb73701a172c3379
8389b0d3ff28a5f525742ca2bf80a81cf264c806f99ef684052439d6856bc7e7
32-bit Rootkit
fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129
32-bit Orchestrator
e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935
4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be
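The hash list and the 0xfedcbafe header described in the Stealth Implant section can be combined into a simple offline triage check. The following Python script is an added example, not code from The Intercept or from any Regin analysis: it embeds the SHA-256 hashes from the Regin Samples list, checks whether a file starts with the 0xfedcbafe header (matched in both byte orders, which is an assumption, since the page shows the header only in a screenshot and does not say how it is stored), and flags a file named svcsstat.exe under System32, the name and location the Belgacom archive recorded for the 64-bit loader. It is meant to be run over a mounted disk image or an exported directory, not a live host.

```python
import hashlib
import os
from typing import Dict, List

# SHA-256 hashes copied from the "Regin Samples" list on this page.
LOADERS_32 = """
20831e820af5f41353b5afab659f2ad42ec6df5d9692448872f3ed8bbb40ab92
7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7
f89549fc84a8d0f8617841c6aa4bb1678ea2b6081c1f7f74ab1aebd4db4176e4
fd92fd7d0f925ccc0b4cbb6b402e8b99b64fa6a4636d985d78e5507bd4cfecef
225e9596de85ca7b1025d6e444f6a01aa6507feef213f4d2e20da9e7d5d8e430
9cd5127ef31da0e8a4e36292f2af5a9ec1de3b294da367d7c05786fe2d5de44f
b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047
f1d903251db466d35533c28e3c032b7212aa43c8d64ddf8c5521b43031e69e1e
4e39bc95e35323ab586d740725a1c8cbcde01fe453f7c4cac7cced9a26e42cc9
a0d82c3730bc41e267711480c8009883d1412b68977ab175421eabc34e4ef355
a7493fac96345a989b1a03772444075754a2ef11daa22a7600466adc1f69a669
5001793790939009355ba841610412e0f8d60ef5461f2ea272ccf4fd4c83b823
a6603f27c42648a857b8a1cbf301ed4f0877be75627f6bbe99c0bfd9dc4adb35
8d7be9ed64811ea7986d788a75cbc4ca166702c6ff68c33873270d7c6597f5db
40c46bcab9acc0d6d235491c01a66d4c6f35d884c19c6f410901af6d1e33513b
df77132b5c192bd8d2d26b1ebb19853cf03b01d38afd5d382ce77e0d7219c18c
7d38eb24cf5644e090e45d5efa923aff0e69a600ff0ab627e8929bb485243926
a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe
a0e3c52a2c99c39b70155a9115a6c74ea79f8a68111190faa45a8fd1e50f8880
d42300fea6eddcb2f65ffec9e179e46d87d91affad55510279ecbb0250d7fdff
5c81cf8262f9a8b0e100d2a220f7119e54edfc10c4ff906ab7848a015cd12d90
b755ed82c908d92043d4ec3723611c6c5a7c162e78ac8065eb77993447368fce
c0cf8e008fffa0cb2c61d968057b4a077d62f64d7320769982d28107db370513
bdf3dceb6f65790d11df950f17c5ff6beb18601cca1850725f278587845cd19c
ecd7de3387b64b7dab9a7ff52e8aa65cb7ec9193f8eac6a7d79407a6a932ef69
e1ba03a10a40aab909b2ba58dcdfd378b4d264f1f4a554b669797bbb8c8ac902
392f32241cd3448c7a435935f2ff0d2cdc609dda81dd4946b1c977d25134e96e
9ddbe7e77cb5616025b92814d68adfc9c3e076dddbe29de6eb73701a172c3379
8389b0d3ff28a5f525742ca2bf80a81cf264c806f99ef684052439d6856bc7e7
""".split()

ROOTKIT_32 = ["fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"]

ORCHESTRATOR_32 = """
e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935
4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be
""".split()

REGIN_SHA256: Dict[str, str] = {h: "32-bit loader" for h in LOADERS_32}
REGIN_SHA256.update({h: "32-bit rootkit / stealth implant" for h in ROOTKIT_32})
REGIN_SHA256.update({h: "32-bit orchestrator" for h in ORCHESTRATOR_32})

# The page shows the 0xfedcbafe header only in a screenshot, so whether it is
# stored big- or little-endian is an assumption; both byte orders are matched.
STEALTH_HEADERS = (bytes.fromhex("fedcbafe"), bytes.fromhex("febadcfe"))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def has_stealth_header(data: bytes) -> bool:
    return any(data.startswith(magic) for magic in STEALTH_HEADERS)


def classify(data: bytes, path: str = "") -> List[str]:
    """Return the indicators a file triggers; an empty list means nothing matched."""
    hits: List[str] = []
    digest = sha256_hex(data)
    if digest in REGIN_SHA256:
        hits.append(f"SHA-256 matches a known Regin sample ({REGIN_SHA256[digest]})")
    if has_stealth_header(data):
        hits.append("starts with the 0xfedcbafe header seen on the stealth implant")
    # The Belgacom archive recorded a 64-bit loader as C:\Windows\System32\svcsstat.exe.
    norm = path.replace("/", "\\").lower()
    if norm.endswith("\\system32\\svcsstat.exe"):
        hits.append("name and location match the Belgacom 64-bit loader (svcsstat.exe)")
    return hits


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory (e.g. a mounted image) and report every file with a hit."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            hits = classify(data, full)
            if hits:
                findings[full] = hits
    return findings


if __name__ == "__main__":
    import sys
    for found_path, found_hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(found_path)
        for hit in found_hits:
            print("   ", hit)
```

A hash match is conclusive only for the exact samples The Intercept published; the header and filename checks are weaker signals intended to surface candidates for manual inspection, which is why the script reports each indicator separately instead of collapsing them into one verdict.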